Java Runtime Environment 7.0 Update 13 with 50 fixes

Oracle pushes Java 7 Update 13 out early, after one of 50 vulnerabilities addressed is exploited in the wild

Just a day after news broke that Apple had blocked Java for the second time this month, Oracle on Friday announced the release of Java 7 Update 13 to address 50 vulnerabilities. The patch comes more than two weeks early (the February 2013 Critical Patch was originally scheduled for February 19), but it was rushed out because Oracle was notified of “active exploitation in the wild of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers.”

Oracle says after it received reports of a vulnerability in JRE, it quickly confirmed it and then proceeded with “accelerating normal release testing” for the regular Java update, which it says already contained a fix for the issue. “Oracle felt that, releasing this Critical Patch Update two weeks ahead of our intended schedule, instead of releasing a one-off fix through a Security Alert, would be more effective in helping preserve the security posture of Java customers,” the company said.

Oddly, the last update was number 11, and it’s not immediately clear what happened to twelfth. Nevertheless, if you use Java, you can download the latest update now from the Java Control Panel or directly from Oracle’s website here: Java SE 7u13.

Oracle says 44 of 50 vulnerabilities only affect Java in Internet browsers. This means they can only be exploited on desktops through Java Web Start applications or Java applets, but that’s exactly where consumers are hit.

Oracle is an enterprise company, however, and that is where its focus lies. Yet this rushed update, as well as recent security improvements, shows the company is starting to care more and more about all its Java users.

Three of the fixed vulnerabilities apply to client and server deployment of Java, meaning they can be exploited on desktops as well as servers (by supplying malicious input to APIs in the vulnerable server components). Two of the vulnerabilities only apply to server deployment and one vulnerability affects the installation of JRE.

It’s not clear which one of the 44 was being exploited in the wild, but multiple vulnerabilities have been publicly discussed since Update 11. For example, at least one was being sold for $5,000 on January 16, two we reported about on January 18, and another one was mentioned on January 28.